On 20.06.2016 19:41, Markus Koschany wrote:
> On 20.06.2016 19:38, Moritz Muehlenhoff wrote:
>> On Mon, Jun 20, 2016 at 06:48:58PM +0200, Markus Koschany wrote:
>>> Hello,
>>>
>>> I am thinking about upgrading mysql-connector-java to the latest stable
>>> version in Wheezy and Jessie to address
>>>
>>> https://security-tracker.debian.org/tracker/CVE-2015-2575
>>>
>>> As usual Oracle does not provide concrete information about the
>>> vulnerability or a patch for older versions. On the other hand it is
>>> claimed that the issue is difficult to exploit, probably because users
>>> need to be authenticated. But without further information I rather
>>> hesitate to mark this CVE as a minor issue. Any thoughts?
>>
>> Agreed. I already discussed briefly with ebourg who suggested the same.
>>
>> Can you prepare an update for jessie-security?
>>
>> Cheers,
>> Moritz
>
> Yes, I will do so tomorrow.

Houston, we have a problem. It seems the latest upstream release
requires Java 8 for building JDBC 4. In Jessie even Java 6 was
sufficient. I suggest we ship version 5.1.34 of mysql-connector-java
instead, which should build fine with Java 6/7 and also fix the
security vulnerability. If there is a better way, please let me know.

Regards,

Markus